Posts tagged ‘internet explorer’

It’s a given that you want to keep yourself safe from clickjacking scams. They’ve been known to cause all kinds of trouble. The page you think you are clicking on is really an invisible frame laid over something else, so one click can post embarrassing content to your social networking profile or approve a download that installs malware, which then steals the personal information that lets criminals commit identity theft.

You’d expect all Internet browsers to take this threat pretty seriously. After all, who would want to use a browser that exposes you to such a threat?

Unfortunately, though, some browsers are better than others at protecting you from clickjacking threats.

IE 8, for instance, honours a response header (X-Frame-Options) that website designers send to stop their pages from being loaded inside frames. Since a clickjack works by hiding the target page in a frame, refusing to be framed solves a large part of the problem. IE 8, however, relies on the website, not the user, to ask for that protection. That’s not very helpful for most people. If individual users had the option to say “don’t load pages in frames,” they could rely on near-universal protection. When you leave it up to website developers, you’ve only helped the visitors of sites that bothered to send the header. Every site that hasn’t sent it can still be framed on a page the clickjacker builds specifically to attract victims, and the attacker’s own page naturally sends no such header.

This is the kind of protection that could actually cause more harm than good.

If nothing else, Internet Explorer should alert users when they have reached a page that does not protect them. Then the user can decide whether he or she wants to proceed. It would also encourage more web designers to send the header when they build new sites.

NSS Labs has released a surprising report showing that Internet Explorer 8 blocks more socially engineered malware (malware that tricks people into running it or allowing an action without realising it) than its rivals. According to the report, IE 8 offered more protection than Firefox 3.6, Safari 5, Chrome 6, or Opera 10.

Ask pretty much any computer nerd and he (or she) will tell you that there is something bogus about this study. No one in the know would consider using Internet Explorer.

What the report could reveal, though, is that IE 8 works better than previously thought. The reason computer nerds go for Firefox and less popular browsers could have something to do with their specific needs. In general, hackers are not using clickjacking, phishing, and other forms of social engineering to attack people who know a lot about computers. They want to target people who, quite frankly, don’t know what’s going on and are naive. They are easy targets.

While it is commonly held that Firefox offers better protection than Internet Explorer, it could be that IE actually offers better protection for the average user. Firefox users typically install add-ons that customise their experience. Installing additional security add-ons makes Firefox safer, but average people who don’t know much about internet security probably don’t know how to get that protection. For these people, IE works well right “out of the box.” They don’t have to set up anything extra. They just open the program and start surfing the web.

In bare-bones form, IE might beat its competitors. Thinking that you are really safe just because you use a default IE 8, however, could lead you to fall for clickjacks and phishing schemes that you can only avoid by knowing how to spot them.

Facebook, Twitter, and many other popular websites claim that they protect users from clickjacking attacks by sending the “X-FRAME-OPTIONS: DENY” response header, which tells the browser not to display the page inside a frame, invisible or otherwise. This sounds like a great step forward, but does it really help that much?

Sending the header is pretty much the best thing a website can do to protect internet users from clickjack attacks, but it certainly does not protect everyone. The header only works with browsers that recognise it. If you’re using IE 8, Chrome 2, or Safari 4 (or newer), you’re probably in good shape. If you’re using an older version of these browsers, you are still susceptible to clickjack attacks. Currently, the latest release of Firefox does not even acknowledge the header; Mozilla plans to recognise it in a future version. In the meantime, Firefox has the optional NoScript add-on, which can help prevent clickjacks.
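The decision IE 8 makes in the first post above, together with the browser-support caveat in this one, as an added example (it is not code from the original posts, from any browser, or from Facebook/Twitter): a small model of how a browser that honours X-Frame-Options decides whether to render a page inside a frame. It assumes the response headers arrive as [name, value] pairs, uses a boolean `honoursXfo` in place of a real browser version table (per the posts: IE 8, Chrome 2 and Safari 4 honour the header, Firefox 3.6 does not), and all URLs and responses (`attacker.example`, `social.example` and the others) are constructed for the example.

```javascript
// Added example for this page, not code from the original posts or from any
// browser. Models the X-Frame-Options check and shows the posts' point: a
// browser that does not implement the header frames the page regardless of
// what the site sends. All responses and URLs below are constructed.

const FRAMED = 'framed';
const BLOCKED = 'blocked';

// scheme://host[:port] of a URL, lower-cased by the URL parser; null if the
// string is not a URL at all (a malformed ALLOW-FROM argument, for instance).
function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Every X-Frame-Options value in a response, upper-cased. `headers` is an
// array of [name, value] pairs, the shape of a raw response; header names are
// case-insensitive, so they are compared lower-cased.
function xfoValues(headers) {
  return headers
    .filter(([name]) => name.toLowerCase() === 'x-frame-options')
    .flatMap(([, value]) => value.split(','))
    .map((v) => v.trim().toUpperCase())
    .filter((v) => v.length > 0);
}

// Is a frame pointing at `pageUrl`, embedded in a top-level document at
// `topUrl`, displayed? `honoursXfo` says whether the browser implements the
// header at all; when it does not, the site's header is irrelevant.
function framingDecision({ headers, pageUrl, topUrl, honoursXfo }) {
  if (!honoursXfo) {
    return { result: FRAMED, reason: 'browser ignores X-Frame-Options' };
  }
  const values = xfoValues(headers);
  if (values.length === 0) {
    return { result: FRAMED, reason: 'no X-Frame-Options header sent' };
  }
  // Different directives in one response are ambiguous; this example resolves
  // the conflict to the strictest outcome (real browsers differ here).
  const directives = new Set(values.map((v) => v.split(/\s+/)[0]));
  if (directives.size > 1) {
    return { result: BLOCKED, reason: 'conflicting X-Frame-Options values' };
  }
  const [directive, ...args] = values[0].split(/\s+/);
  switch (directive) {
    case 'DENY':
      return { result: BLOCKED, reason: 'DENY' };
    case 'SAMEORIGIN':
      return originOf(pageUrl) === originOf(topUrl)
        ? { result: FRAMED, reason: 'SAMEORIGIN, top-level document has the same origin' }
        : { result: BLOCKED, reason: 'SAMEORIGIN, top-level origin differs' };
    case 'ALLOW-FROM': {
      // ALLOW-FROM names exactly one origin that may frame the page. Support
      // was always partial; an implementation that does not know it falls
      // through to the default branch below.
      const allowed = args.length === 1 ? originOf(args[0]) : null;
      if (allowed === null) {
        return { result: FRAMED, reason: 'malformed ALLOW-FROM, header ignored' };
      }
      return allowed === originOf(topUrl)
        ? { result: FRAMED, reason: 'ALLOW-FROM matches top-level origin' }
        : { result: BLOCKED, reason: 'ALLOW-FROM does not match top-level origin' };
    }
    default:
      // An unrecognised value cannot be enforced, so the header is ignored and
      // the page stays frameable: a typo in the value is a real weakness.
      return { result: FRAMED, reason: `unrecognised value "${values[0]}", header ignored` };
  }
}

// Constructed sample responses, seen from an attacker page at ATTACKER.
const ATTACKER = 'http://attacker.example/free-prize.html';
const SAMPLES = {
  socialSite:  { url: 'https://social.example/settings',
                 headers: [['Content-Type', 'text/html'], ['X-Frame-Options', 'DENY']] },
  intranet:    { url: 'https://intranet.example/app',
                 headers: [['content-type', 'text/html'], ['x-frame-options', 'sameorigin']] },
  unprotected: { url: 'https://shop.example/checkout',
                 headers: [['Content-Type', 'text/html']] },
  typo:        { url: 'https://bank.example/transfer',
                 headers: [['X-Frame-Options', 'SAME-ORIGIN']] },
};

// For one browser (honours the header or not), which sample pages can the
// attacker page frame? Returns { sampleName: 'framed' | 'blocked' }.
function frameableBy(honoursXfo) {
  const out = {};
  for (const [name, { url, headers }] of Object.entries(SAMPLES)) {
    out[name] = framingDecision({ headers, pageUrl: url, topUrl: ATTACKER, honoursXfo }).result;
  }
  return out;
}

console.log('browser with X-Frame-Options support:', frameableBy(true));
console.log('browser without support (older builds, Firefox 3.6):', frameableBy(false));
```

Run with `node` to see the two reports side by side: with support, only the pages that send a valid header are blocked (`socialSite`, `intranet`), while the unprotected page and the one with the misspelled value are framed; without support, every page is framed, which is exactly the gap the post describes for Firefox and older browser versions.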

The point here isn’t that Facebook, Twitter, and other sites aren’t doing what is in their power to prevent clickjacks. The point is that it’s dangerous for them to make claims that aren’t true for many visitors. Sending the “X-FRAME-OPTIONS: DENY” header does qualify as improved security, but putting it at the centre of your security-focused marketing encourages people to feel safer than they really are.

It’s not necessarily inaccurate. It’s not even necessarily disingenuous. But it is dangerous for the millions of people who use Firefox and older browsers. Many of them think they are protected from clickjacking, but the truth is that they are victims in waiting.

Click Jacking Jack syndicates its weblog posts and comments using RSS (Really Simple Syndication). You can use a service like Bloglines to get notified when there are new posts to this weblog.